On the Complexity of Compressing Obfuscation
|
|
- Edwina McKinney
- 5 years ago
- Views:
Transcription
1 On the Complexity of Compressing Obfuscation Gilad Asharov Naomi Ephraim Ilan Komargodski Rafael Pass Abstract Indistinguishability obfuscation has become one of the most exciting cryptographic primitives due to its far reaching applications in cryptography and other fields. However, to date, obtaining a plausibly secure construction has been an illusive task, thus motivating the study of seemingly weaker primitives that imply it, with the possibility that they will be easier to construct. In this work, we provide a systematic study of compressing obfuscation, one of the most natural and simple to describe primitives that is known to imply indistinguishability obfuscation when combined with other standard assumptions. A compressing obfuscator is roughly an indistinguishability obfuscator that outputs just a slightly compressed encoding of the truth table. This generalizes notions introduced by Lin et al. (PKC 2016) and Bitansky et al. (TCC 2016) by allowing for a broader regime of parameters. We view compressing obfuscation as an independent cryptographic primitive and show various positive and negative results concerning its power and plausibility of existence, demonstrating significant differences from full-fledged indistinguishability obfuscation. First, we show that as a cryptographic building block, compressing obfuscation is weak. In particular, when combined with one-way functions, it cannot be used (in a black-box way) to achieve public-key encryption, even under (sub-)exponential security assumptions. This is in sharp contrast to indistinguishability obfuscation, which together with one-way functions implies almost all cryptographic primitives. Second, we show that to construct compressing obfuscation with perfect correctness, one only needs to assume its existence with a very weak correctness guarantee and polynomial hardness. Namely, we show a correctness amplification transformation with optimal parameters that relies only on polynomial hardness assumptions. This implies a universal construction assuming only polynomially secure compressing obfuscation with approximate correctness. In the context of indistinguishability obfuscation, we know how to achieve such a result only under sub-exponential security assumptions together with derandomization assumptions. Lastly, we characterize the existence of compressing obfuscation with statistical security. We show that in some range of parameters and for some classes of circuits such an obfuscator exists, whereas it is unlikely to exist with better parameters or for larger classes of circuits. These positive and negative results reveal a deep connection between compressing obfuscation and various concepts in complexity theory and learning theory. Cornell Tech, New York, NY 10044, USA. asharov@cornell.edu. Supported by a Junior Fellow award from the Simons Foundation. Cornell University, Ithaca, NY 14853, USA. nephraim@cs.cornell.edu. Supported by an AFOSR grant FA Cornell Tech, New York, NY 10044, USA. komargodski@cornell.edu. Supported in part by a Packard Foundation Fellowship and by an AFOSR grant FA Cornell Tech, New York, NY 10044, USA. rafael@cs.cornell.edu. Supported in part by NSF Award CNS , NSF Award CNS , NSF Award CNS , AFOSR Award FA , a Microsoft Faculty Fellowship, and a Google Faculty Research Award.
2 Contents 1 Introduction Our Results Related Work Paper Organization Technical Overview Correctness Amplification A Universal Construction Impossibility of Key-Agreement Statistically Secure Compressing Obfuscation Preliminaries Compressing Obfuscation Correctness of Obfuscation Puncturable Pseudorandom Functions Non-Interactive Zero Knowledge Commitment Schemes Error-Correcting Codes Functional Encryption Correctness Amplification From Approximately-Correct XiO to Worst-Case Correct XiO (1/poly negl)-worst Case XiO to (1 negl)-worst Case XiO (1 negl)-worst Case Correct XiO to Perfectly Correct XiO Wrapping Up Proof of Theorem Impossibility of Key Agreement from XIO and OWFs Preliminaries Oracle-Aided Bit Agreement XiO for Oracle-Aided Circuits The Class of Reductions Proof Overview and the Oracle Γ Existence of a OWF Relative to Γ Existence of XiO Relative to Γ Breaking Perfect Key Agreement Relative to Γ Proof of Theorem Compressing Obfuscation with Statistical Security Negative Results Positive Results References 57
3 1 Introduction Program obfuscation is an intriguing and powerful concept in modern cryptography. A program obfuscator is a compiler that scrambles programs into ones that are hard to reverse engineer, while preserving their functionality. The predominant notion that captures the above concept is indistinguishability obfuscation, introduced in the seminal work of Barak et al. 15], which has inspired a vibrant area of research in recent years. Informally, indistinguishability obfuscation (io) guarantees that the obfuscations of two functionally equivalent circuits of the same size are computationally indistinguishable. There are two main reasons why io has become such a central primitive its potential to exist and its power. As opposed to stronger notions of obfuscation that are known not to exist for all circuits (such as virtual black-box obfuscation 15]), general purpose io might be realizable, and in fact, since the work of Garg et al. 44] many candidate constructions of io have emerged 44, 32, 14, 6, 86, 50, 9, 91, 49]. As for its power, io serves as a hub for an impressive number of cryptographic primitives, ranging from classical concepts such as one-way functions 69], public-key encryption 88], trapdoor permutations 20], ZAPs and non-interactive witness-indistinguishable proofs 19], to ones that are still far beyond the reach of any other assumption, such as deniable encryption 88], fully-secure multi-input functional encryption 53], and many others. Despite immense efforts to construct io from concrete assumptions, all currently known candidate constructions have been shown to be vulnerable to attacks 8, 13, 27, 37, 38, 39, 78, 82]. 1 Another line of work shows how to construct io from some seemingly simpler or weaker generic cryptographic primitives (together with more standard assumptions). These include primitives such as low-degree multilinear maps 71, 72, 5, 75], compact functional encryption schemes 4, 21], compact randomized encodings 74], and variants of exponentially-efficient indistinguishability obfuscation 18, 73], all of which have no known instantiations from standard assumptions. The difficulty of constructing io motivates the study of such seemingly weaker cryptographic primitives, with the hope that such a study could elucidate the foundations of io. In this paper, we focus on the primitive which is arguably the simplest to define and the closest in its nature to io: indistinguishability obfuscation with nontrivial compression, or in short, compressing obfuscation. Compressing obfuscation. For functions t(s, n) and l(s, n), we say that an obfuscator O is (t, l)-compressing if, when given a circuit C of size s on n inputs, the obfuscator O(C) runs in time t(s, n) and has output length l(s, n). In the case of io, both t and l are polynomial in s and n, but in general, we allow them to be super-polynomial, or even (sub-)exponential. This definition generalizes existing relaxations of io (such as XiO and SXiO which we discuss below) and allows us to characterize the extent to which efficiency impacts the existence, applications, and limitations of obfuscation. Throughout this work, we mostly focus on the following two settings of parameters, which intuitively, are relaxed versions of io that only allow obfuscating circuits with logarithmic input size: XiO. The first (and weaker) setting of parameters is that of exponentially-efficient io (XiO), introduced by Lin et al. 73]. XiO allows the running time of the obfuscator to be as large as the truth table of the circuit to be obfuscated, but requires the size of the obfuscated circuit to be slightly smaller than its truth table. More formally, for a function c (which denotes the compression of XiO), we say that c-xio is a (t, l)-compressing obfuscator with t(s, n) = poly(2 n, s) and l(s, n) = c(n) poly(s). When there exists a constant ɛ > 0 such that c(n) = 2 n(1 ɛ), we denote c-xio simply by XiO. Lin et al. 73] showed that XiO for all circuits and Learning With Errors (LWE), both with sub-exponential security, imply io. 1 Some of the attacks apply directly to the candidate construction while some only apply to the underlying graded encoding scheme 40, 49, 41]. See Ananth et al. 2, Appendix A] for an overview. 1
4 SXiO. The second (and stronger) setting of parameters is that of strong XiO (SXiO), introduced by Bitansky et al. 18]. SXiO requires that the time to obfuscate a circuit is slightly smaller than the truth table of the circuit. More formally, for a function c, we say that c-sxio is a (t, l)-compressing obfuscator with t(s, n) = l(s, n) = c(n) poly(s). Similar to the above case, when there exists some constant ɛ > 0 such that c(n) = 2 n(1 ɛ), we denote this simply by SXiO. Bitansky et al. 18] showed that SXiO and any public-key encryption, both with sub-exponential security, imply io. This was strengthened by Kitigawa et al. 68], who showed that SXiO and any one-way function, with sub-exponential security, imply io. These two settings of parameters have seemingly minor differences, but nevertheless, are not known to be equivalent. Moreover, as mentioned above, their known implications illustrate the richness of the world of compressing obfuscation, and indicate that efficiency is a fundamental property of obfuscation. Since the regime of parameters for compressing obfuscation is somewhat non-standard (especially, the distinction between time and output length in XiO), it has not received adequate attention, and as a result we know very little about it. In this work, we provide a systematic study of compressing obfuscation as an independent cryptographic primitive, and thus characterize the extent to which efficiency plays a role in obfuscation. 1.1 Our Results Our results span a wide range of topics concerning compressing obfuscation, including limitations of its power, existence in an information-theoretic setting, constructions for limited classes of functions, and correctness amplification. XiO vs. PKE. We start by exploring the power of XiO as an independent cryptographic primitive. One the one hand, we know that when combined with LWE it implies full-fledged io (which in turn implies almost all cryptographic primitives). On the other hand, as opposed to io 69], we do not even know whether XiO by itself 2 implies one-way functions the most basic cryptographic primitive. One of the original applications of obfuscation, which was proposed by Diffie and Hellman back in ], is to transform private-key encryption into public-key encryption. When combined with one-way functions, io can be used to perform such a transformation, as shown by 44, 88]. This transformation can also be obtained starting from sub-exponentially secure SXiO and one-way functions 68]. This raises the same question regarding XiO: Can it bridge the gap between the world of privatekey cryptography and that of public-key cryptography? We provide evidence that it cannot, and thus show a concrete lower bound on its potential power. Theorem 1.1 (informal). There is no fully black-box construction of a perfectly correct key-agreement protocol from one-way functions and perfectly correct 2 (1 ɛ)n -XiO for any constant ɛ > 0, even with sub-exponential security. Our result follows the extended black-box model of 47, 48], and in particular holds even if the XiO scheme can obfuscate oracle-aided circuits which contain both XiO and one-way function gates. This model is stronger than the one considered in 10, 11, 16], in which the obfuscator is allowed to obfuscate circuits with only one-way function gates. By allowing circuits to contain all possible oracle gates, our framework captures the self-feeding techniques used in the context of io and related primitives. Thus, our result is one of the strongest forms of the classical separation between one-way functions and pubic-key encryption due to Impagliazzo and Rudich 64]. We note that our 2 Assuming any average- or worst-case hardness assumption. This is necessary as XiO exists unconditionally if P = NP. 2
5 result does not separate imperfectly correct key-agreement from (perfectly correct) XiO and one-way functions. Previously, by combining 10, 18], a related result follows but in a significantly weaker blackbox model and for XiO with somewhat weak compression. Concretely, 10] showed a separation of perfect key-agreement from imperfect private-key FE in a black-box model where one can obfuscate functions that have only one-way function gates, and 18] showed a black-box construction of 2 n/2 - XiO from such private-key FE. This implies a separation from 2 (1 ɛ)n -XiO where 0 < ɛ 1/2, and when only allowing XiO to obfuscate circuits containing one-way function gates. Statistical security. Our result that it is unlikely that key-agreement can be constructed from XiO and one-way functions can be viewed as good news, as it hints that XiO is a somewhat weak primitive, and therefore it might be possible to base its existence on well-studied assumptions. In fact, it might even be possible that compressing obfuscation exists unconditionally (even if P NP). Toward this end, we show almost matching upper and lower bounds for the existence of compressing obfuscation with statistical security, both for the case of perfect correctness and that of approximate correctness. Our results show tight connections between compressing obfuscation and various concepts in complexity theory and learning and thus we view this as one of the central takeaways of this work. For the case of approximate correctness, we show a 2 nɛ -SXiO for ɛ > 0 for small classes of circuits (such as AC 0 ). On the other hand, we show that such an obfuscator cannot exist for larger classes of circuits that contain a (puncturable) PRF, unless SAT AM2 nɛ ], where SAT is the problem of deciding whether a formula is unsatisfiable and AMt(n)] is the class of all languages on instances of size n that have an AM protocol in which the running time of the verifier and the message sizes are at most t(n). Theorem 1.2 (informal). There exists a statistically secure and approximately correct 2 nɛ -SXiO for AC 0 and ɛ > 0. On the contrary, unless SAT AM2 nɛ ], there is no such obfuscator for any class that contains a (puncturable) PRF. This result naturally leads to the question of whether we can get a similar statement for the case of perfect correctness. We are unable to get such a result for SXiO, but we do get it for XiO, albeit with worse compression. 3 Theorem 1.3 (informal). There exists a 2 n(1 ɛ) -XiO for ɛ 1/poly log(n) with statistical security and perfect correctness for AC 0. Ruling out statistically secure XiO with any compression is left as an open problem. We do show that unless SAT AM2 c(1 ɛ)n ] for a universal constant c N, there is no statistically secure and perfectly correct 2 n(1 ɛ) -SXiO for AC 0 (see Theorem 6.2). It is known, by the recent result of Williams 90], that SAT AMÕ(2n/2 )]. However, it might be that for larger values of ɛ (such as ɛ = 1 (0.1/c) or even ɛ = 1 o(1)) it holds that SAT / AM2 c(1 ɛ)n ]. The positive results are based on classical (PAC) learning algorithms 89, 76] and the circuit compression algorithm of 36]. Both negative results above rely on and extend the following analogous arguments from the io literature 55, 29]. The first is of Goldwasser and Rothblum 55] who showed that statistical io with perfect correctness cannot exist unless NP SZK. The second is of Brakerski, Brzuska, and Fleischhacker 29] who extended the result of 55] to handle statistical io with approximate correctness by showing that unless conp AM, it cannot exist (assuming additionally one-way functions). 3 The obfuscator we get is weak due to two reasons. First, the class for which we obtain XiO does not contain (puncturable) PRFs and thus is not sufficient for known transformations to io. Second, the compression we achieve is not enough for cryptographic applications. 3
6 Correctness amplification. Our results above suggest that approximate correctness might be easier to achieve than perfect correctness, in an information theoretic setting. Is this the case also in the computational setting? To address this question, we show a transformation from approximately correct XiO to perfectly correct XiO, assuming the original XiO applies to a large enough class of circuits. This transformation achieves optimal parameters and only incurs polynomial security loss, indicating that correctness is not the bottleneck in constructing XiO from standard assumptions. Theorem 1.4 (informal). If there exists an XiO scheme for all polynomial size circuits which is correct with probability (1/2 + 1/poly) over the the inputs and the obfuscation, then there exists a perfectly correct XiO scheme, assuming polynomially-secure LWE and NIZKs. 4 Prior to this result, there were no correctness amplification procedures for XiO which required only polynomial security or achieved optimal parameters. Correctness amplifications for related primitives, such as those of 22, 3] for io, do not apply to XiO, since they involve a random selfreducibility step which inherently requires running the obfuscator on polynomial-size inputs. The transformation of Bitansky et al. 17] shows how to transform an XiO which is correct with probability 0.99 over the inputs and the obfuscation to a weak notion of functional encryption. This notion of functional encryption was known to imply a relaxed notion of XiO, namely, XiO with preprocessing 73]. Our transformation works for a much weaker notion of correctness (as opposed to.99) and results in full-fledged, perfectly correct XiO (as opposed to XiO with preprocessing). Technically, our regime of parameters introduces many difficulties which require us to tailor a construction that is based on a delicate combination of various types of error-correcting codes together with cryptographic primitives (inspired by 81]). While we show this transformation for the case of XiO, our result extends naturally to the case of SXiO. In particular, we can obtain perfectly correct XiO from the transformation, or SXiO which is correct on all but a negligible fraction of obfuscations. Universal construction. Using our correctness amplification procedure, we obtain a universal construction of an XiO (resp. SXiO), assuming only the mere existence of XiO (resp. SXiO) with polynomial security and only (very weak) approximate correctness. For XiO, the resulting universal construction satisfies perfect correctness. Note that in the context of io, perfect correctness is known to be achievable using only derandomization assumptions 23]. Our result is obtained by adapting the robust combiner of Ananth et al. 2] to the setting of XiO (resp. SXiO) and then using our correctness amplification transformation. 1.2 Related Work Universal construction and robust combiners. It was shown in 59] that, in general, a robust combiner implies the existence of a universal construction. A robust combiner for a cryptographic primitive takes several candidate constructions of the primitive and outputs one construction that is as good as any of the input constructions (see also 62, 63]). A combiner for encryption appears already in 12], and perhaps the most known universal construction is that of one-way functions, due to 70]. Combiners for obfuscation were given in 43, 2, 3]. The work of 2] shows a robust combiner for indistinguishability obfuscation with sub-exponential security loss, and assuming either LWE or DDH. The work of 3] removes the sub-exponential assumption, but does not go all the way to io it shows a transforming combiner from candidates for indistinguishability obfuscation of which one of them is polynomially secure to a secure functional encryption scheme. 4 Using the recent work of 67], we believe that the assumption on NIZKs can be removed. We leave this modification to future work. 4
7 Existence of io. Mahmoody et al. 79] showed that io cannot be based on random oracles or on constant degree multilinear maps (in a black-box way). Garg et al. 47] showed that io cannot be constructed from any type of encryption that has an all-or-nothing type of security (as in PKE or Witness Encryption). Lastly, Garg et al. 48] studied the minimal compactness needed from a functional encryption scheme to imply io, and gave matching constructions, following 4, 21]. In both 47, 48], the results hold even if the primitives upon which io cannot be based can receive circuits containing gates for each of the primitive s subroutines. Limitations on the power of io were studied by Asharov and Segev 10, 11] and by Bitansky, Degwekar and Vaikuntanathan 16]. So far, we know that io and one-way functions do not imply collision-resistant hash functions 10], domain-invariant one-way permutations 11], and hardness in NP conp 16]. Also, io and one-way permutations do not imply hardness in SZK 16]. Relaxations of io. In addition to (S)XiO, another relaxation of io is decomposable obfuscation (do), which was recently introduced by Liu and Zhandry 77]. Decomposable obfuscation relaxes the security requirement of io by requiring that obfuscations of circuits which satisfy a new notion of functional equivalence are indistinguishable. In particular, it is efficient to verify if two circuits satisfy their notion of functional equivalence, unlike traditional functional equivalence. This is similar to the case of XiO, because it is applied on circuits with only logarithmic input size for polynomial time applications. In 77], they question whether io with efficiently verifiable functional equivalence implies public-key encryption. In fact, they have to assume the existence of public-key encryption for all the applications of do that they show which imply public-key encryption. As mentioned above, we show a separation from XiO and OWFs to public key encryption. Therefore, our result serves as further evidence to the hypothesis that (non) efficiently checkable functional equivalence is one of the key factors which distinguishes io from notions like XiO and do. Compressing primitives. Recently, compressing witness encryption (WE) was studied by Brakerski et al. 30]. Witness encryption, introduced by Garg et al. 45], allows encrypting a message relative to a statement x L for a language L NP such that anyone holding a witness to the statement can decrypt the message, but if x / L, then it is computationally hard to decrypt. A compressing WE is such that the encryption time (and thus size) is less than the time it takes to solve the NP instance. Brakerski et al. showed that such a WE scheme can be constructed under standard assumptions (such as LWE or bilinear maps with sub-exponential security). This is in sharp contrast to SXiO (or even XiO). 1.3 Paper Organization We proceed with a technical overview of our results. Then, in Section 3 we overview our definitions. In Section 4 we show our correctness amplification, and in Section 5 we prove our impossibility result of construction key-agreement protocol from XiO and OWFs. In Section 6 we present our positive and negative regarding statistically secure XiO. 2 Technical Overview In this section we provide a high level overview of our results. We start with the correctness amplification (and its application to universal constructions) in Section 2.1. We proceed with the limitations on the power of XiO in Section 2.2, and conclude with our constructions and impossibilities of statistically secure XiO in Section
8 2.1 Correctness Amplification Our correctness amplification for XiO is a transformation from an approximately correct XiO scheme to an XiO scheme that is perfectly correct. Here, by approximately correct, we mean an XiO scheme which is correct with probability (1/2+1/poly) over the inputs and the obfuscation, and by perfectly correct, we mean an XiO scheme which is correct on all inputs and all obfuscations with probability 1. The starting point for our correctness amplification is the transformation of Bitansky et al. 17], which transforms an XiO scheme which is correct with probability.99 over the obfuscation and the inputs to a functional encryption (FE) scheme which is correct on all inputs (with all but negligible probability). At a high level, FE is a type of encryption which enables generating functional keys, such that decryption of a ciphertext corresponding to a message m with a functional key for a circuit C results in C(m). The hope is that if we can adapt the 17] transformation to our case, then we can attempt to transform the correct FE back to XiO. From approximately correct XiO to correct FE. In 17], they first observe that by averaging and standard BPP-type amplification, their XiO scheme can be amplified to one which is correct with probability.9 only over the inputs. Then, they transform this XiO to a correct FE using an error-correcting code, as follows. To encrypt a message m, they obfuscate a circuit G m which, on input i, outputs an encryption of (m, i) using a succinct functional encryption scheme sfe, that exists based on LWE 54]. Call the resulting obfuscated circuit G m. To generate a functional key for a circuit C, they generate an sfe functional key for a circuit C that on input (m, i) outputs the ith bit of ECC(C(m)), where ECC is an error-correcting code. To decrypt, they first evaluate the obfuscated circuit G m on every input i to obtain a list of encryptions of (m, i) for all i. Then, they use the sfe functional key to decrypt each of these encryptions and finally, decode the result. The reason why this is enough for 17] is that, first, by the BPP amplification, they obtain correct encryptions of (m, i) for a.9 fraction of i s, with all but negligible probability over the obfuscation. This lets them calculate (ECC(C(m)) i for a large ( 3/4) fraction of the i s. Second, they rely on the error-correcting code which, given (ECC(C(m)) i for many ( 3/4) i s, can recover C(m). In our case, a natural attempt would be to replicate their first step and then use an errorcorrecting code with better parameters for the second step. However, this approach fails: we are only guaranteed correctness with probability (1/2 + 1/poly(λ)) over the obfuscation and the inputs, which is not enough for averaging and BPP-type amplification. Nevertheless, the framework of 17] is still a convenient starting point for us. Our first challenge is to obtain every bit of the encryption of (m, i) for sufficiently many i s. One idea is to apply an error-correcting code to the output of G m, so that for any index i for which G m correctly outputs enough of the bits of the encryption of (m, i), we can decode successfully. While this is not possible for our regime of parameters using classical binary error-correcting codes, this is achievable with binary list-decodable codes, which output a list of possibilities upon decoding a codeword, rather than a unique decoding. Therefore, we modify the circuit G m to output a list-decodable encoding of the encryption of (m, i), one bit at a time, which will be decoded at decryption time. This introduces the complication that list-decoding gives many possibilities for the encryption of (m, i) for each i. To address this, we employ a combination of NIZK proofs and commitments which enable us to uniquely decode from the decoded list. At a high level, we impose the requirement that in addition to the ciphertext of (m, i), the circuit G m on input i must output a NIZK proof certifying that the ciphertext is correct. This ensures that we obtain sfe encryptions of (m, i) for a noticeable fraction of the inputs i. Thus, we have replaced the BPP-type amplification of 17] with list-decodable codes, NIZK proofs, and commitment schemes. After this change, we have that for a noticeable (but small, say 1%) fraction of the i s, we obtain a correct encryption of (m, i). If we decrypt this with the sfe secret key of 17], we would hope to obtain (ECC(C(m))) i for enough i s such that ECC can successfully decode to C(m), but this 6
9 does not quite work because we only have a very small fraction of correct encryptions. Indeed, no (binary) error-correcting code can recover from more than 50% error! To overcome this, we notice that we have additional information (thanks to the NIZK) we know exactly for which i s we obtained correct sfe encryptions of (m, i). Therefore, we replace the error-correcting code in the 17] construction with a code that can recover from a high fraction (say 99%) of erasures. To obtain optimal parameters, this requires us to have sfe output alphabet symbols rather than bits, but this does not impact the correctness of the scheme. Combining these two steps, we obtain an FE scheme with amplified correctness. As far as we know, this combination of list-decodable codes and erasure-correcting codes is novel to this work. These techniques nearly work, with the caveat that our first step only gives us the correct encryptions of enough (m, i) when the obfuscator uses good random coins. Nevertheless, this can be remedied by using BPP-type amplification and leveraging the fact that our FE scheme always decrypts to or to the correct output, C(m). Therefore, this results in an FE scheme which is correct for all inputs with all but negligible probability. From correct FE to correct XiO. The only remaining step is to transform the FE back to XiO. The FE scheme we obtain from the above transformations is weakly sublinear compact, a weak notion of compactness which does not suffice for known transformations to XiO without assuming sub-exponential security. FE with weak sublinear compactness has the property that while the encryption time is proportional to the circuit size of circuits supported by the scheme, the ciphertext lengths are compact. We take advantage of this by having an obfuscation consist of many short encryptions, which exactly captures the requirement that the obfuscator has a long running time but a nontrivial output length. In more detail, to obfuscate a circuit C, we encrypt a circuit C x for each x {0, 1} n/2, where C x ( ) = C(x ). Then, we generate a functional key sk for a circuit T, which, given a circuit on n/2 bits, outputs its truth table. The ciphertexts and functional key serve as our obfuscation, which gives the desired efficiency for XiO exactly because of the weak compactness of FE. To evaluate the obfuscation on an input x = x 1 x 2, we use FE to decrypt the ciphertext corresponding to C x1 with sk, and select the element of the truth table corresponding to x 2. This transformation yields a correct and secure XiO scheme, in which for any circuit C and every input x, it holds that the obfuscation of C at the point x agrees with C(x) with all but negligible probability. In the technical section, we present the full construction in a more streamlined manner. In particular, we compose the XiO to FE transformation with the FE to XiO transformation described above, which yields a transformation from approximately correct XiO to XiO that is correct on any input with all but negligible probability over the randomness of the obfuscator. Given an XiO which is correct on any input with all but negligible probability, we can then apply another BPP-style transformation (this time we apply parallel repetitions and then take the majority vote) to get an obfuscator that for all but negligible fraction of the obfuscations the obfuscated circuit completely agrees with the input circuit. To conclude our correctness amplification, we observe that the running time for XiO allows the obfuscator to compute the truth table of the circuit it obfuscates. Therefore, we modify the obfuscator to check if an obfuscation C of a circuit C is correct by running over all inputs. If C agrees with C, then C is used as the obfuscation, and if not, we simply output C in the clear. This takes advantage of the running time of XiO and incurs only a negligible loss in security, resulting in a perfectly correct XiO A Universal Construction An important application of correctness amplification is a universal construction. We show a universal construction for XiO (resp. SXiO) by combining our correctness amplification with the results of 2]. 7
10 A universal construction for a primitive can be obtained via a robust combiner for that primitive, which is a transformation that takes several candidate constructions of the primitive and outputs one construction that is as good as any of the input constructions. It is robust in the sense that it should work even if some of the candidates have weak correctness guarantees, have bad running times, etc. A universal construction is then acquired by enumerating over all possible candidates while making sure not to be fooled by bad faulty candidates so that we end up with a correct candidate. Thus, it is guaranteed that the resulting candidate is correct and secure. We observe that a combiner (i.e, a secure candidate assuming one exists) for XiO (resp. SXiO) can be obtained by adapting the construction for io of Ananth et al. 2] which further relied on LWE. In the case of io, their construction, on input circuit C, obfuscates a variant of C that has the same input domain as C. In the security proof, they go input-by-input over this obfuscated circuit which results in a sub-exponential security loss. We notice that, in the case of XiO (resp. SXiO), the number of inputs in the above obfuscated circuit is at most logarithmic, so the very same proof can be carried out, losing only a polynomial term. Then, to make the combiner robust we use our correctness amplification procedure. This results in a universal construction of perfect XiO (resp. imperfect SXiO), assuming the existence of XiO (resp. SXiO) with very weak correctness. 2.2 Impossibility of Key-Agreement To illustrate the difference between the power of compressing obfuscation and io, we revisit one of the primary applications of io transforming a private-key scheme into a public-key one. In the context of io, this transformation is performed by obfuscating the encryption circuit of a private-key encryption scheme, while embedding the symmetric secret key into the circuit. The public key is then simply the obfuscated circuit. In order to encrypt a message m, one has to choose randomness r and run the obfuscated circuit on (m, r) to obtain the ciphertext c. An important property of this construction is the ability to obfuscate circuits with hardwired cryptography, e.g., the evaluation circuit of a pseudorandom function with a hardwired PRF key. Since XiO is efficient only when obfuscating circuits with logarithmic size input, one cannot use the above approach with XiO even when the message space is limited to a single bit. Given the public key, the adversary can learn the entire truth table of the obfuscated circuit by enumerating over all inputs, thereby breaking the secrecy of the underlying message. Our proof formalizes this intuition, and shows that other attempts at such a transformation cannot succeed. We formalize this using a black-box separation, showing that no perfectly complete bit-agreement protocol can be constructed from perfectly correct XiO and one-way functions. Modeling non-black-box constructions. Constructions that are based on indistinguishability obfuscation are almost always non-black-box in the underlying primitives. In the example above, the circuit being obfuscated is the encryption algorithm of a private-key encryption scheme and thus contains a specific circuit representation of the underlying one-way function as a sub-circuit. More complex constructions also use techniques which require obfuscating a circuit which itself may obfuscate smaller circuits (and evaluate smaller obfuscations). To capture these types of constructions, we extend the framework of Asharov and Segev 10, 11], which enables the obfuscator to run on oracle-aided circuits, i.e., circuits that might contain oracle gates. In this manner, the specific representation of the one-way function in the example above is replaced by an oracle gate, which allows the construction to be black-box relative to the one-way function. While the results in 10, 11] hold relative to an obfuscator for circuits which can only contain one-way function gates, our separation allows circuits to contain both XiO and one-way function gates. This captures the known techniques to obtain public-key encryption from io, and is similar to the class of constructions captured in the framework of 47, 48]. We refer to 10, 11] for 8
11 details regarding this model (see also 16]), and for examples of how it captures common techniques such as the punctured programming technique of Sahai and Waters 88] and its variants. The oracle. Our result is obtained by presenting an oracle Γ relative to which the following properties hold: (1) there exists a one-way function f; (2) there exists a perfectly-correct, exponentiallysecure XiO scheme xio for all oracle-aided circuits C xio,f ; (3) for any perfectly complete bitagreement protocol between two parties, there exists an eavesdropping adversary that makes polynomially many queries to the oracle Γ and succeeds to recover the bit from the transcript of the interaction. Our oracle consists of three functions, similar to that of 11]: (1) a random function f that will serve as the one-way function; (2) a random length-increasing function O that will serve as the obfuscator (an obfuscation of an oracle-aided circuit C is a handle Ĉ = O(C, r) for a random string r), and (3) a function E that enables evaluations of obfuscated circuits: given some obfuscated circuit Ĉ and an input x, the function E looks for the lexicographically first pair (C, r) for which O(C, r) = Ĉ and returns CΓ (x). Note that if C is some circuit of size s, it can only make oracle calls to Γ on inputs smaller than s, and thus the above definition is not circular. The main difference in modeling XiO as an oracle rather than io as in 11] is the expansion factor of the oracle O. In order to capture compressing obfuscation, the expansion factor that we use is (sub-)exponential in the input size of the circuit C. While this modification is somewhat minor in syntax, it has a major effect if the expansion factor is small then it is possible to construct a polynomial time key-agreement protocol relative to such an oracle (following the construction of Sahai and Waters 88]), whereas for a larger expansion factor this becomes impossible. As for the existence of one-way functions and indistinguishability of obfuscated circuits, we derive these almost for free from 11]. In what follows, we first discuss how to break a perfectly complete key-agreement protocol relative to a random oracle as a warmup. We then discuss the challenges when dealing with our (more structured) oracle, and discuss why our approach does not work for io. Separating key-agreement from a random oracle. As a warmup, we first give an overview of the result of Impagliazzo and Rudich 64] and Brakerski et al. 31], who show that for any two polynomial time oracle-aided algorithms A and B, if A f, B f implements a perfectly-correct bitagreement protocol for all functions f, then there exists an oracle-aided algorithm E such that for any function f learns the agreed bit with probability 1 by making only a polynomial number of oracle queries to f. The adversary E is given a transcript T which is a result of an interaction of A and B relative to some oracle f, and is required to find the key k that A and B agreed on. Denote by ra (resp. r B ) the randomness used by A (resp. B) in the real interaction that produced T. The adversary E initializes a set of queries/answers Q, which will contain the actual queries made by E to the true oracle f. It also initializes a multiset K =, and repeats the following polynomially many times: Simulation: E simulates an oracle f that is consistent with Q (i.e., f (w) = f(w) for every w Q), and randomness r A, r B such that the interaction Af (r A ), Bf (r B ) (i.e., running the protocol with respect to the function f with randomness r A for A and r B for B) results in the transcript T and key k. E adds k to K. Update: E asks f for all queries made to f by A or B in the simulation that are not already in Q, and updates the set Q. At the end of the attack, E outputs the majority value in K. The proof then relies on the following observation: In each iteration, either (1) in the update phase, E finds at least one new query that is also made by either A or B during the real interaction with the function f that produced the transcript T ; or (2) E adds the real key k to K. 9
12 Intuitively, if (1) does not hold, then the perfect correctness of the bit-agreement protocol guarantees that (2) holds. In particular, in that case it is possible to construct a hybrid oracle f that behaves like f in the real execution of A, i.e., A f (ra ), and behaves like f in the simulated evaluation of B, i.e., B f (r B ). According to this hybrid oracle, an execution of A with randomness ra and an execution of B with randomness r B would result in the transcript T, A would output k (as in the real execution) and B would output k (as in the simulation). Perfect correctness then tells us that k = k. This hybrid oracle can be constructed since the intersection of the set of queries made in the simulated execution and those made in the real execution is already contained in Q, and therefore there are no contradicting queries (i.e., queries w that appear in both executions for which f(w) f (w)). As the number of oracle queries A and B make during the execution of the protocol is some polynomial q, the majority value in K is guaranteed to be the correct key after 2q + 1 iterations. Attacking key-agreement relative to our oracle. We extend the attack described above relative to our oracle Γ, which is a significantly more structured than a random oracle and therefore raises several challenges. Recall that our oracle Γ consists of a three functions f, O, and E, that are dependent. Following the above template, we construct an adversary that simulates an execution that produces the transcript T with some simulated oracle Γ = (f, O, E ). There are three main challenges with this approach: 1. The first challenge is to show that A and B cannot gain extra information from oracle queries that are not in the intersection of their query sets. In particular, in the case of a random oracle, the shared information between A and B can be recovered completely from their shared oracle queries and the transcript T. In our setting, since the oracles f, O, and E have dependence, this may not be the case. 2. The second challenge is due to the fact that queries made by A and B could cause hidden oracle queries. Since we allow obfuscated circuits to contain oracle gates, this could occur when obfuscated circuits are evaluated by A and B. In particular, the output of the evaluation could reveal query-answer pairs on queries that were never directly asked by A or B. Thus, we must show that A and B cannot indirectly learn too many query-answer pairs this way. 3. The third challenge is to show that a hybrid oracle Γ = ( f, Õ, Ẽ) can be constructed from the two sets of queries, i.e., from the simulated execution and the real execution. As an example, suppose there is a query E(Ĉ, x) that is performed in the real execution and a different query E (Ĉ, y) that appears in the simulated execution. Such two queries raise a challenge for constructing a hybrid oracle Ẽ which is consistent with these two queries simultaneously. In order to see this, suppose that in the real execution, the lexicographically first pair (C, r) for which O(C, r) = Ĉ is some pair (C 1, r 1 ), and in the simulated execution the lexicographically first pair (C, r) for which O (C, r) = Ĉ is some pair (C 2, r 2 ) (C 1, r 1 ). As a result, E(Ĉ, x) in the real execution is mapped to C1 Γ (x), whereas E (Ĉ, y) is mapped to CΓ 2 (y), but C 1 C 2. We solve the first challenge by adding additional oracle queries to the set of real queries that the parties make, which makes the dependence between the oracles more explicit. We solve the second challenge by showing that any oracle query can only cause polynomially many additional indirect queries. In particular, for a circuit C Γ of size s, any indirect queries are on circuits smaller than s. We use this in conjunction with the (sub-exponential) expansion factor of our oracle O to show that the number of indirect queries are bounded, and thus the adversary E can learn any indirect queries that A and B learn by only making polynomially many additional queries. As for the third challenge, interestingly, our proof does not completely solve it, and we do not fully control to which one of the two circuits C 1 or C 2 the hybrid oracle Ẽ maps Ĉ. Nevertheless, 10
13 we design the adversary such that, whenever there is such a contradicting scenario between the real execution and the simulated execution, it must hold that C 1 and C 2 are functionally equivalent with respect to the hybrid oracle Γ. Otherwise, i.e., when there is some input for which C 1 and C 2 do not agree, we claim that the adversary learns a new query that is associated with the real execution. As a consequence, E learns the entire truth table of any obfuscated circuit Ĉ that is associated with the real execution, which is possible due to the fact that querying the oracle Γ on all inputs of Ĉ results in polynomially many queries. Notably, for a different expansion factor of the oracle O (which results in io and not XiO), this becomes an exponential number of queries, and the above attack fails. 2.3 Statistically Secure Compressing Obfuscation This set of results is composed of two main parts. One is positive results showing that for small classes of circuits compressing obfuscation exists unconditionally. The other complements the constructions and shows that improvements in the above obfuscator, either in the compression factor or in the circuit class, will imply some nontrivial speedup for protocols solving UNSAT. We have positive and negative results both for the case of perfect correctness and for the case of approximate correctness. Negative results. First, we show that that approximately correct and statistically secure 2 nɛ - SXiO cannot exist unless conp AM2 nɛ ] for ɛ > 0. Here, we follow on the approach of 29] from the world of io. There, they show how to use io and puncturable PRFs to create two circuits that differ at a single point but their obfucations (as random variables) are statistically far. Then, they use an algorithm that can distinguish these two distributions to solve Unique-SAT which then implies that conp AM by a result of Mahmoody and Xiao 80]. We modify the argument to work with compressing obfuscation by making the two circuits receive only short inputs, and observe that the proof still goes through, but then solving Unique-SAT on short inputs (say of poly-logarithmic size). We then apply the result of Mahmoody and Xiao and finally obtain our result by scaling the parameters. Second, we show that perfectly correct and statistically secure 2 n(1 ɛ) -SXiO cannot exist unless conp AM2 (1 ɛ)n ] (with large enough 0 < ɛ < 1). For this, we construct an SZK2 (1 ɛ)n ] protocol for all NP. In this protocol, the verifier, given x L for a language L, chooses a bit b uniformly at random and obfuscates a circuit that gets a witness w as input, checks whether it is a valid witness for x and if so, it outputs b (otherwise it outputs ). This protocol can be shown to be honest-verifier statistical zero-knowledge with a verifier that runs in time 2 (1 ɛ)n for L. This argument is reminiscent to the argument of 69, 55] in the context of io. We then carefully apply the transformation of Okamoto 84] to translate this protocol into an (honest-verifier) SZK protocol for every language in conp. This implies that conp AM2 (1 ɛ)n ]. Positive results. We show that compressing obfuscators exists unconditionally for restricted classes of circuits such as AC 0 (the class of all constant-depth circuits) and Mon (the class of all monotone functions). We again construct compressing obfuscators with perfect correctness and approximate correctness. The approximately correct obfuscators are obtained by running a classical (PAC) learning algorithm 89] on the given circuit and outputting the hypothesis. Using the most efficient learning algorithms for AC 0 and Mon, we obtain compressing obfuscators for these classes. This construction is aligned with the above impossibility that says that we are unlikely to be able to get such an obfuscator for classes that contain a (puncturable) PRF. In the perfect correctness case, we use a different tool called a circuit compression algorithm 36]. In circuit compression one is given the truth table of a Boolean function f computable by some unknown circuit from a known class of circuits, and the goal is to find in time poly(2 n ) a circuit C 11
Lecture 2: Program Obfuscation - II April 1, 2009
Advanced Topics in Cryptography Lecture 2: Program Obfuscation - II April 1, 2009 Lecturer: S. Goldwasser, M. Naor Scribe by: R. Marianer, R. Rothblum Updated: May 3, 2009 1 Introduction Barak et-al[1]
More informationCOS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7
COS 597C: Recent Developments in Program Obfuscation Lecture 7 10/06/16 Lecturer: Mark Zhandry Princeton University Scribe: Jordan Tran Notes for Lecture 7 1 Introduction In this lecture, we show how to
More informationBootstrapping Obfuscators via Fast Pseudorandom Functions
Bootstrapping Obfuscators via Fast Pseudorandom Functions Benny Applebaum October 26, 2013 Abstract We show that it is possible to upgrade an obfuscator for a weak complexity class WEAK into an obfuscator
More informationIndistinguishability Obfuscation for All Circuits from Secret-Key Functional Encryption
Indistinguishability Obfuscation for All Circuits from Secret-Key Functional Encryption Fuyuki Kitagawa 1 Ryo Nishimaki 2 Keisuke Tanaka 1 1 Tokyo Institute of Technology, Japan {kitagaw1,keisuke}@is.titech.ac.jp
More informationA survey on quantum-secure cryptographic systems
A survey on quantum-secure cryptographic systems Tomoka Kan May 24, 2018 1 Abstract Post-quantum cryptography refers to the search for classical cryptosystems which remain secure in the presence of a quantum
More informationComputational security & Private key encryption
Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability
More informationCandidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation
Candidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation Dongxue Pan 1,2, Hongda Li 1,2, Peifang Ni 1,2 1 The Data Assurance and Communication
More informationLattice-Based Non-Interactive Arugment Systems
Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover
More information1 Indistinguishability for multiple encryptions
CSCI 5440: Cryptography Lecture 3 The Chinese University of Hong Kong 26 September 2012 1 Indistinguishability for multiple encryptions We now have a reasonable encryption scheme, which we proved is message
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationOutput-Compressing Randomized Encodings and Applications
Output-Compressing Randomized Encodings and Applications Huijia Lin Rafael Pass Karn Seth Sidharth Telang December 18, 2015 Abstract We consider randomized encodings (RE) that enable encoding a Turing
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationAugmented Black-Box Simulation and Zero Knowledge Argument for NP
Augmented Black-Box Simulation and Zero Knowledge Argument for N Li Hongda, an Dongxue, Ni eifang The Data Assurance and Communication Security Research Center, School of Cyber Security, University of
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More information: On the P vs. BPP problem. 18/12/16 Lecture 10
03684155: On the P vs. BPP problem. 18/12/16 Lecture 10 Natural proofs Amnon Ta-Shma and Dean Doron 1 Natural proofs The ultimate goal we have is separating classes (or proving they are equal if they are).
More informationExtending Oblivious Transfers Efficiently
Extending Oblivious Transfers Efficiently Yuval Ishai Technion Joe Kilian Kobbi Nissim Erez Petrank NEC Microsoft Technion Motivation x y f(x,y) How (in)efficient is generic secure computation? myth don
More informationLecture 11: Hash Functions, Merkle-Damgaard, Random Oracle
CS 7880 Graduate Cryptography October 20, 2015 Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle Lecturer: Daniel Wichs Scribe: Tanay Mehta 1 Topics Covered Review Collision-Resistant Hash Functions
More informationDistinguisher-Dependent Simulation in Two Rounds and its Applications
Distinguisher-Dependent Simulation in Two Rounds and its Applications Abhishek Jain Yael Tauman Kalai Dakshita Khurana Ron Rothblum Abstract We devise a novel simulation technique that makes black-box
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationLecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko
CMSC 858K Advanced Topics in Cryptography February 26, 2004 Lecturer: Jonathan Katz Lecture 10 Scribe(s): Jeffrey Blank Chiu Yuen Koo Nikolai Yakovenko 1 Summary We had previously begun to analyze the
More informationLinear Multi-Prover Interactive Proofs
Quasi-Optimal SNARGs via Linear Multi-Prover Interactive Proofs Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Interactive Arguments for NP L C = x C x, w = 1 for some w P(x, w) V(x) accept / reject
More informationLecture 3: Interactive Proofs and Zero-Knowledge
CS 355 Topics in Cryptography April 9, 2018 Lecture 3: Interactive Proofs and Zero-Knowledge Instructors: Henry Corrigan-Gibbs, Sam Kim, David J. Wu So far in the class, we have only covered basic cryptographic
More information1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:
Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how
More informationA Framework for Non-Interactive Instance-Dependent Commitment Schemes (NIC)
A Framework for Non-Interactive Instance-Dependent Commitment Schemes (NIC) Bruce Kapron, Lior Malka, Venkatesh Srinivasan Department of Computer Science University of Victoria, BC, Canada V8W 3P6 Email:bmkapron,liorma,venkat@cs.uvic.ca
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationAuthentication. Chapter Message Authentication
Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationLimits of Extractability Assumptions with Distributional Auxiliary Input
Limits of Extractability Assumptions with Distributional Auxiliary Input Elette Boyle Cornell University ecb227@cornell.edu Rafael Pass Cornell University rafael@cs.cornell.edu November 20, 2013 Abstract
More informationIS VALIANT VAZIRANI S ISOLATION PROBABILITY IMPROVABLE? Holger Dell, Valentine Kabanets, Dieter van Melkebeek, and Osamu Watanabe December 31, 2012
IS VALIANT VAZIRANI S ISOLATION PROBABILITY IMPROVABLE? Holger Dell, Valentine Kabanets, Dieter van Melkebeek, and Osamu Watanabe December 31, 2012 Abstract. The Isolation Lemma of Valiant & Vazirani (1986)
More informationOne-Way Functions and (Im)perfect Obfuscation
One-Way Functions and (Im)perfect Obfuscation Ilan Komargodski Tal Moran Moni Naor Rafael Pass Alon Rosen Eylon Yogev Abstract A program obfuscator takes a program and outputs a scrambled version of it,
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More information6.892 Computing on Encrypted Data September 16, Lecture 2
6.89 Computing on Encrypted Data September 16, 013 Lecture Lecturer: Vinod Vaikuntanathan Scribe: Britt Cyr In this lecture, we will define the learning with errors (LWE) problem, show an euivalence between
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationLectures 2+3: Provable Security
Lectures 2+3: Provable Security Contents 1 Motivation 1 2 Syntax 3 3 Correctness 5 4 Security Definitions 6 5 Important Cryptographic Primitives 8 6 Proofs of Security 10 7 Limitations of Provable Security
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationFUNCTIONAL SIGNATURES AND PSEUDORANDOM FUNCTIONS. Elette Boyle Shafi Goldwasser Ioana Ivan
FUNCTIONAL SIGNATURES AND PSEUDORANDOM FUNCTIONS Elette Boyle Shafi Goldwasser Ioana Ivan Traditional Paradigm: All or Nothing Encryption [DH76] Given SK, can decrypt. Otherwise, can t distinguish encryptions
More informationLectures One Way Permutations, Goldreich Levin Theorem, Commitments
Lectures 11 12 - One Way Permutations, Goldreich Levin Theorem, Commitments Boaz Barak March 10, 2010 From time immemorial, humanity has gotten frequent, often cruel, reminders that many things are easier
More informationLimits of Extractability Assumptions with Distributional Auxiliary Input
Limits of Extractability Assumptions with Distributional Auxiliary Input Elette Boyle Technion Israel eboyle@alum.mit.edu Rafael Pass Cornell University rafael@cs.cornell.edu August 24, 2015 Abstract Extractability,
More informationVirtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding
Virtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding Zvika Brakerski 1 and Guy N. Rothblum 2 1 Weizmann Institute of Science 2 Microsoft Research Abstract. We present a new general-purpose
More informationLecture Notes on Secret Sharing
COMS W4261: Introduction to Cryptography. Instructor: Prof. Tal Malkin Lecture Notes on Secret Sharing Abstract These are lecture notes from the first two lectures in Fall 2016, focusing on technical material
More informationMaking the Best of a Leaky Situation: Zero-Knowledge PCPs from Leakage-Resilient Circuits
Making the Best of a Leaky Situation: Zero-Knowledge PCPs from Leakage-Resilient Circuits Yuval Ishai Mor Weiss Guang Yang Abstract A Probabilistically Checkable Proof PCP) allows a randomized verifier,
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationLecture 14: Cryptographic Hash Functions
CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationFrom Weak to Strong Zero-Knowledge and Applications
From Weak to Strong Zero-Knowledge and Applications Kai-Min Chung Academia Sinica kmchung@iis.sinica.edu.tw Edward Lui Cornell University luied@cs.cornell.edu January 20, 205 Rafael Pass Cornell University
More informationFinding Collisions in Interactive Protocols Tight Lower Bounds on the Round and Communication Complexities of Statistically Hiding Commitments
Finding Collisions in Interactive Protocols Tight Lower Bounds on the Round and Communication Complexities of Statistically Hiding Commitments Iftach Haitner Jonathan J. Hoch Omer Reingold Gil Segev December
More informationOn Achieving the Best of Both Worlds in Secure Multiparty Computation
On Achieving the Best of Both Worlds in Secure Multiparty Computation Yuval Ishai Jonathan Katz Eyal Kushilevitz Yehuda Lindell Erez Petrank Abstract Two settings are traditionally considered for secure
More informationLecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004
CMSC 858K Advanced Topics in Cryptography March 18, 2004 Lecturer: Jonathan Katz Lecture 16 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Digital Signature Schemes In this lecture, we introduce
More information4-3 A Survey on Oblivious Transfer Protocols
4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of
More informationLength-Increasing Reductions for PSPACE-Completeness
Length-Increasing Reductions for PSPACE-Completeness John M. Hitchcock 1 and A. Pavan 2 1 Department of Computer Science, University of Wyoming. jhitchco@cs.uwyo.edu 2 Department of Computer Science, Iowa
More informationProbabilistically Checkable Arguments
Probabilistically Checkable Arguments Yael Tauman Kalai Microsoft Research yael@microsoft.com Ran Raz Weizmann Institute of Science ran.raz@weizmann.ac.il Abstract We give a general reduction that converts
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police
More informationAdaptively Secure Puncturable Pseudorandom Functions in the Standard Model
Adaptively Secure Puncturable Pseudorandom Functions in the Standard Model Susan Hohenberger Johns Hopkins University susan@cs.hu.edu Brent Waters University of Texas at Austin bwaters@cs.utexas.edu November
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationAdaptively Secure Puncturable Pseudorandom Functions in the Standard Model
Adaptively Secure Puncturable Pseudorandom Functions in the Standard Model Susan Hohenberger 1, Venkata Koppula 2, and Brent Waters 2 1 Johns Hopkins University, Baltimore, USA susan@cs.jhu.edu 2 University
More information1 Distributional problems
CSCI 5170: Computational Complexity Lecture 6 The Chinese University of Hong Kong, Spring 2016 23 February 2016 The theory of NP-completeness has been applied to explain why brute-force search is essentially
More informationOptimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample
Optimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample Fuchun Guo 1, Rongmao Chen 2, Willy Susilo 1, Jianchang Lai 1, Guomin Yang 1, and Yi Mu 1 1 Institute
More informationCSC 5170: Theory of Computational Complexity Lecture 9 The Chinese University of Hong Kong 15 March 2010
CSC 5170: Theory of Computational Complexity Lecture 9 The Chinese University of Hong Kong 15 March 2010 We now embark on a study of computational classes that are more general than NP. As these classes
More informationOutput Compression, MPC, and io for Turing Machines
Output Compression, MPC, and io for Turing Machines Saikrishna Badrinarayanan Rex Fernando Venkata Koppula Amit Sahai Brent Waters Abstract In this work, we study the fascinating notion of output-compressing
More informationFully Bideniable Interactive Encryption
Fully Bideniable Interactive Encryption Ran Canetti Sunoo Park Oxana Poburinnaya January 1, 19 Abstract While standard encryption guarantees secrecy of the encrypted plaintext only against an attacker
More informationFrom Secure MPC to Efficient Zero-Knowledge
From Secure MPC to Efficient Zero-Knowledge David Wu March, 2017 The Complexity Class NP NP the class of problems that are efficiently verifiable a language L is in NP if there exists a polynomial-time
More informationStatistical WI (and more) in Two Messages
Statistical WI (and more) in Two Messages Yael Tauman Kalai MSR Cambridge, USA. yael@microsoft.com Dakshita Khurana UCLA, USA. dakshita@cs.ucla.edu Amit Sahai UCLA, USA. sahai@cs.ucla.edu Abstract Two-message
More informationImpossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs
Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs Dafna Kidron Yehuda Lindell June 6, 2010 Abstract Universal composability and concurrent general composition
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationBEYOND POST QUANTUM CRYPTOGRAPHY
BEYOND POST QUANTUM CRYPTOGRAPHY Mark Zhandry Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical Beyond Post-Quantum Cryptography
More informationNear-Optimal Secret Sharing and Error Correcting Codes in AC 0
Near-Optimal Secret Sharing and Error Correcting Codes in AC 0 Kuan Cheng Yuval Ishai Xin Li December 18, 2017 Abstract We study the question of minimizing the computational complexity of (robust) secret
More informationQuestion 1. The Chinese University of Hong Kong, Spring 2018
CSCI 5440: Cryptography The Chinese University of Hong Kong, Spring 2018 Homework 2 Solutions Question 1 Consider the following encryption algorithm based on the shortlwe assumption. The secret key is
More informationLecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension
CS 294 Secure Computation February 16 and 18, 2016 Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension Instructor: Sanjam Garg Scribe: Alex Irpan 1 Overview Garbled circuits
More informationOn the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner 1, Alon Rosen 2, and Ronen Shaltiel 3 1 Microsoft Research, New England Campus. iftach@microsoft.com 2 Herzliya Interdisciplinary
More informationLecture 11: Key Agreement
Introduction to Cryptography 02/22/2018 Lecture 11: Key Agreement Instructor: Vipul Goyal Scribe: Francisco Maturana 1 Hardness Assumptions In order to prove the security of cryptographic primitives, we
More informationParallel Repetition of Zero-Knowledge Proofs and the Possibility of Basing Cryptography on NP-Hardness
Parallel Repetition of Zero-Knowledge Proofs and the Possibility of Basing Cryptography on NP-Hardness Rafael Pass Cornell University rafael@cs.cornell.edu January 29, 2007 Abstract Two long-standing open
More informationLecture 9 - One Way Permutations
Lecture 9 - One Way Permutations Boaz Barak October 17, 2007 From time immemorial, humanity has gotten frequent, often cruel, reminders that many things are easier to do than to reverse. Leonid Levin Quick
More informationTowards a Unified Theory of Cryptographic Agents
Towards a Unified Theory of Cryptographic Agents Shashank Agrawal Shweta Agrawal Manoj Prabhakaran Abstract In recent years there has been a fantastic boom of increasingly sophisticated cryptographic objects
More informationOptimal Error Rates for Interactive Coding II: Efficiency and List Decoding
Optimal Error Rates for Interactive Coding II: Efficiency and List Decoding Mohsen Ghaffari MIT ghaffari@mit.edu Bernhard Haeupler Microsoft Research haeupler@cs.cmu.edu Abstract We study coding schemes
More informationPERFECTLY secure key agreement has been studied recently
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 45, NO. 2, MARCH 1999 499 Unconditionally Secure Key Agreement the Intrinsic Conditional Information Ueli M. Maurer, Senior Member, IEEE, Stefan Wolf Abstract
More informationBounded Key-Dependent Message Security
Bounded Key-Dependent Message Security Boaz Barak Iftach Haitner Dennis Hofheinz Yuval Ishai October 21, 2009 Abstract We construct the first public-key encryption scheme that is proven secure (in the
More informationCLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD
CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry Stanford University * Joint work with Dan Boneh But First: My Current Work Indistinguishability Obfuscation (and variants) Multiparty NIKE without
More information1 Secure two-party computation
CSCI 5440: Cryptography Lecture 7 The Chinese University of Hong Kong, Spring 2018 26 and 27 February 2018 In the first half of the course we covered the basic cryptographic primitives that enable secure
More informationParallel Coin-Tossing and Constant-Round Secure Two-Party Computation
Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Yehuda Lindell Dept. of Computer Science and Applied Math. The Weizmann Institute of Science Rehovot 76100, Israel. lindell@wisdom.weizmann.ac.il
More information6.892 Computing on Encrypted Data October 28, Lecture 7
6.892 Computing on Encrypted Data October 28, 2013 Lecture 7 Lecturer: Vinod Vaikuntanathan Scribe: Prashant Vasudevan 1 Garbled Circuits Picking up from the previous lecture, we start by defining a garbling
More informationZAPs and Non-Interactive Witness Indistinguishability from Indistinguishability Obfuscation
ZAPs and Non-Interactive Witness Indistinguishability from Indistinguishability Obfuscation Nir Bitansky Omer Paneth February 12, 2015 Abstract We present new constructions of two-message and one-message
More informationInteractive Zero-Knowledge with Restricted Random Oracles
Interactive Zero-Knowledge with Restricted Random Oracles Moti Yung 1 and Yunlei Zhao 2 1 RSA Laboratories and Department of Computer Science, Columbia University, New York, NY, USA. moti@cs.columbia.edu
More informationFully-secure Key Policy ABE on Prime-Order Bilinear Groups
Fully-secure Key Policy ABE on Prime-Order Bilinear Groups Luke Kowalczyk, Jiahui Liu, Kailash Meiyappan Abstract We present a Key-Policy ABE scheme that is fully-secure under the Decisional Linear Assumption.
More informationAn Epistemic Characterization of Zero Knowledge
An Epistemic Characterization of Zero Knowledge Joseph Y. Halpern, Rafael Pass, and Vasumathi Raman Computer Science Department Cornell University Ithaca, NY, 14853, U.S.A. e-mail: {halpern, rafael, vraman}@cs.cornell.edu
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationParallel Decryption Queries in Bounded Chosen Ciphertext Attacks
Parallel Decryption Queries in Bounded Chosen Ciphertext Attacks Takahiro Matsuda and Kanta Matsuura The University of Tokyo, Japan {tmatsuda,kanta}@iis.u-tokyo.ac.jp Abstract. Whether it is possible to
More information6.842 Randomness and Computation Lecture 5
6.842 Randomness and Computation 2012-02-22 Lecture 5 Lecturer: Ronitt Rubinfeld Scribe: Michael Forbes 1 Overview Today we will define the notion of a pairwise independent hash function, and discuss its
More informationLecture 15 - Zero Knowledge Proofs
Lecture 15 - Zero Knowledge Proofs Boaz Barak November 21, 2007 Zero knowledge for 3-coloring. We gave a ZK proof for the language QR of (x, n) such that x QR n. We ll now give a ZK proof (due to Goldreich,
More information8 Security against Chosen Plaintext
8 Security against Chosen Plaintext Attacks We ve already seen a definition that captures security of encryption when an adversary is allowed to see just one ciphertext encrypted under the key. Clearly
More informationPoint Obfuscation and 3-round Zero-Knowledge
Point Obfuscation and 3-round Zero-Knowledge Nir Bitansky and Omer Paneth Tel Aviv University and Boston University September 21, 2011 Abstract We construct 3-round proofs and arguments with negligible
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More informationLecture 7: CPA Security, MACs, OWFs
CS 7810 Graduate Cryptography September 27, 2017 Lecturer: Daniel Wichs Lecture 7: CPA Security, MACs, OWFs Scribe: Eysa Lee 1 Topic Covered Chosen Plaintext Attack (CPA) MACs One Way Functions (OWFs)
More informationFoundations of Cryptography
- 111 - Foundations of Cryptography Notes of lecture No. 10B & 11 (given on June 11 & 18, 1989) taken by Sergio Rajsbaum Summary In this lecture we define unforgeable digital signatures and present such
More informationLecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures
Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Boaz Barak November 27, 2007 Quick review of homework 7 Existence of a CPA-secure public key encryption scheme such that oracle
More informationConcurrent Non-malleable Commitments from any One-way Function
Concurrent Non-malleable Commitments from any One-way Function Margarita Vald Tel-Aviv University 1 / 67 Outline Non-Malleable Commitments Problem Presentation Overview DDN - First NMC Protocol Concurrent
More informationLecture 17: Constructions of Public-Key Encryption
COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,
More informationOn The (In)security Of Fischlin s Paradigm
On The (In)security Of Fischlin s Paradigm Prabhanjan Ananth 1, Raghav Bhaskar 1, Vipul Goyal 1, and Vanishree Rao 2 1 Microsoft Research India prabhanjan.va@gmail.com,{rbhaskar,vipul}@microsoft.com 2
More information5 Pseudorandom Generators
5 Pseudorandom Generators We have already seen that randomness is essential for cryptographic security. Following Kerckhoff s principle, we assume that an adversary knows everything about our cryptographic
More informationProjective Arithmetic Functional Encryption. and. Indistinguishability Obfuscation (io) from Degree-5 Multilinear maps
Projective Arithmetic Functional Encryption and Indistinguishability Obfuscation (io) from Degree-5 Multilinear maps Prabhanjan Ananth Amit Sahai Constructions of io All current constructions of io are
More information